stephent / strapi-provider-upload-aws-s3-plus-cdn

Adaptation of strapi-provider-upload-aws-s3 to support private buckets and download via CDN

High security vulnerability in upstream dependency `aws-sdk` and `xml2js` #8

Open colearendt opened 1 year ago

colearendt commented 1 year ago

With a fresh install on a new project:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ xml2js is vulnerable to prototype pollution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml2js                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strapi-provider-upload-aws-s3-plus-cdn                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strapi-provider-upload-aws-s3-plus-cdn > aws-sdk > xml2js    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-776f-qx25-q3cc            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1528 scanned packages
  1 vulnerability requires manual review. See the full report for details.

It looks like bumping the version of the aws-sdk should help.

Thanks for an awesome package!

colearendt commented 1 year ago

FWIW this seems to have been downgraded to moderate?


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ xml2js is vulnerable to prototype pollution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml2js                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strapi-provider-upload-aws-s3-plus-cdn                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strapi-provider-upload-aws-s3-plus-cdn > aws-sdk > xml2js    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-776f-qx25-q3cc            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1574 scanned packages
  1 vulnerability requires manual review. See the full report for details.
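The audit reports above only name the path; a maintainer verifying a fix also wants to confirm that no copy of `xml2js` below the patched `0.5.0` floor remains anywhere in the installed tree. The following script is an added example (not code from this issue or the project): it walks an `npm ls --json`-style tree and reports every path ending in an unpatched `xml2js`. The sample tree and its placeholder versions are constructed to mirror the path shown in the report.

```javascript
// Added example (not part of the issue or the project): walk an `npm ls --json`
// style dependency tree and report every path that ends in a package whose
// installed version is below the patched floor from the advisory (>=0.5.0).
const VULN = { name: 'xml2js', patchedIn: '0.5.0' };

// Compare dotted numeric versions a and b (no prerelease handling): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns "a > b > c@version" strings for unpatched installs.
// A patched copy elsewhere in the tree does not clear an unpatched nested one.
function findVulnerablePaths(tree, vuln, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === vuln.name && compareVersions(node.version, vuln.patchedIn) < 0) {
      hits.push(`${path.join(' > ')}@${node.version}`);
    }
    hits.push(...findVulnerablePaths(node, vuln, path));
  }
  return hits;
}

// Constructed sample tree: the provider's aws-sdk pulls in an old xml2js, while
// a second top-level package already carries a patched copy. Versions marked
// "placeholder" are not real release numbers.
const SAMPLE_TREE = {
  name: 'my-strapi-app',
  dependencies: {
    'strapi-provider-upload-aws-s3-plus-cdn': {
      version: '0.0.0-placeholder',
      dependencies: {
        'aws-sdk': {
          version: '0.0.0-placeholder',
          dependencies: { xml2js: { version: '0.4.19' } },
        },
      },
    },
    'some-other-tool': {
      version: '0.0.0-placeholder',
      dependencies: { xml2js: { version: '0.5.0' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerablePaths(SAMPLE_TREE, VULN));
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of `npm ls --all --json` output; an empty result after bumping `aws-sdk` confirms the transitive copy is gone.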